@0xtarafans and @i2huer

Produced by PNM x Narya Labs

We are focused on dissecting crypto/Web3 exploits in the real world

TL;DR

On March 20, 2022, LI.FI., a cross-chain bridge aggregation protocol was hacked with a loss of ~$600K. The attacker exploited a bug in the smart contract on Ethereum.

Transaction

Exploit

A functional PoC of the hack developed by PNM white hats

postmortem/2022/lifi at main · PwnedNoMore/postmortem

Vulnerability

CBridgeFacet is the vulnerable smart contract that delegates the cross-chain token transfer requests to CBridge.

• Proxy contract

• Logical contract

Supposing not having the targeted token (_cBridgeData.token) to be transferred cross the chains, we can call the public function swapAndStartBridgeTokensViaCBridge() of CBridgeFacet.

• The function supports swapping different tokens to the targeted token through a sequence of swaps executed by LibSwap.swap()
• After swapping, the function validates that the performed swaps have increased the number of the targeted token owned by CBridgeFacet indeed.